Allied Telesis Support Portal

How AlliedWare Plus can secure a non-secure RADIUS Server

Can I add security to a non-secure RADIUS Server?

Introduction

RadSec is an extension to the Remote Authentication Dial-In User Service (RADIUS) authentication protocol that uses Transport Layer Security (TLS) as the transport protocol.
This provides improved security over the standard RADIUS protocol by:

  • Ensuring that protocol messages are encrypted, preventing external entities from snooping for usernames and passwords.
  • Using X.509 certificate chains for identity validation and encryption key exchange.

The original (insecure) RADIUS implementation uses UDP datagrams to carry AAA messages between client and server systems.
These messages are inherently insecure: an attacker who can capture them on the network can recover usernames and passwords.

One mechanism for adding RadSec to an existing implementation is a proxy application that translates RADIUS UDP datagrams into messages carried over TLS.
AlliedWare Plus includes the open-source application RadSecProxy for this purpose. Existing RADIUS applications send UDP datagrams to the RadSecProxy application running on the same device.

RadSecProxy then converts the messages to RadSec TLS messages for transport over the network.

RadSecProxy works for both the client and server sides of the RADIUS exchange.

Prerequisites

  • A trustpoint (named “trustpointname” in the example below), authenticated to an external self-signed CA, is present on the system.
  • The device has been enrolled to the trustpoint.
  • An IPv4 interface or an IPv4 interface with DNS has been configured on the system.
  • The user names and passwords for remote users exist on the remote RADIUS Server.
  • The RadSec Server running on the remote machine is running version 1.6.7 or higher.
  • The configuration file for the RadSec Server running on the remote machine has been changed to ensure that it acts as a:
    • Client for receiving TLS connection/data on Port 2083.
    • Client to receive replies from FreeRADIUS on Port 11812.
    • Server to pass on RADIUS requests to FreeRADIUS Server on Port 1812.
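The remote-side proxy that these prerequisites describe, written out as a radsecproxy.conf. This is an added example, not Allied Telesis configuration; the certificate paths, the switch address 192.0.2.10, the switch certificate CN, the shared secrets and the use of SourceUDP for the 11812 reply port are assumed placeholder values.

```conf
# Accept RadSec (RADIUS over TLS) connections from the switch on port 2083
ListenTLS *:2083
# Assumed: bind the UDP side used to talk to FreeRADIUS to port 11812,
# so FreeRADIUS replies arrive on the port the prerequisites name
SourceUDP *:11812
LogLevel 3
LogDestination file:///var/log/radsecproxy.log

# Certificates issued by the same CA the switch trustpoint was authenticated to
tls default {
    CACertificateFile  /etc/radsecproxy/certs/ca.pem        # assumed path
    CertificateFile    /etc/radsecproxy/certs/radsecserver.pem
    CertificateKeyFile /etc/radsecproxy/certs/radsecserver.key
}

# The AlliedWare Plus device acting as the RadSec client
client awplus-switch {
    type   tls
    host   192.0.2.10                                       # assumed address
    tls    default
    # Reject a peer whose certificate chains correctly but is not the switch
    certificateNameCheck on
    matchCertificateAttribute CN:/^awplus\.example\.net$/    # assumed CN
    secret radsec
}

# Plain RADIUS to the FreeRADIUS server on the same host, port 1812
server freeradius {
    type   udp
    host   127.0.0.1
    port   1812
    secret testing123                                       # assumed secret
    StatusServer on
}

# Forward every realm to FreeRADIUS
realm * {
    server freeradius
}
```

Because the UDP leg is loopback only, the shared secret protects nothing on the wire; the TLS leg and the certificate name check are what keep credentials off the network.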

Example

awplus> enable
awplus#configure terminal
awplus(config)#radius-secure-proxy aaa
awplus(config-radsecproxy-aaa)#server radsecserver.local
awplus(config-radsecproxy-aaa)#server trustpoint trustpointname
PKI trustpoints for the RADIUS AAA secure proxy changed to:
 trustpointname
awplus(config-radsecproxy-aaa)#exit
awplus(config)#aaa authentication login default group radius
awplus(config)#exit

awplus#show radius-secure-proxy aaa
Secure (TLS) Proxy via : 127.0.0.1
 Proxy Port : 1645
 Trustpoints : trustpointname
 Cert Name Check : global default on
 Computed Timeout : 7 sec
 Proxy Status : running
Secure (TLS) Server Host : radsecserver.local
 Timeout : default (5 sec)
 Cert Name Check : default (on)
                                Auth  Acct  Auth    Acct
Server Host/IP Address          Port  Port  Status  Status
-----------------------------------------------------------------
radsecserver.local (TLS Proxy)              Alive   Alive

You can find more information here:
http://www.alliedtelesis.com/documents/public-key-infrastructure-feature-overview-and-configuration-guide